29 April, 2023 by Azad

How to Secure Apache on Ubuntu

Let’s talk about how you can secure Apache on Ubuntu using SSL. Let’s Encrypt is a CA that simplifies the process of acquiring and installing TLS/SSL certificates free of charge, allowing for the implementation of secure HTTPS encryption. Certbot, which attempts to automate most or all required processes, is included to make the process easier. Nowadays, Apache and Nginx have fully automated certificate acquisition and installation processes.

Some users may wish to use the Nginx web server and face issues while trying to secure it. Be sure to look at our previous post on secure Nginx on Ubuntu to learn all the necessary steps you need to know for properly securing Nginx on Ubuntu.

In addition, if you’re wondering about SSL, let me explain. Secure Sockets Layer (SSL) is the industry standard for encrypting data in transit over a network, protecting information such as credit card numbers, social security numbers, and other personal information from prying eyes. An SSL Certificate is considered a type of digital certificate that confirms the legitimacy of a website and makes it possible to communicate securely over the Internet. To conduct online transactions and protect the privacy of their customer’s personal information, businesses, and organizations should implement SSL certificates on their websites. Before we continue let’s take a look at Let’s Encrypt SSL benefits.

Table of Contents

Advantages of Using Let’s Encrypt SSL

Here are some advantages of Let’s Encrypt SSL:

Let’s Encrypt SSL’s free availability is a major selling point.
The setup is easy and takes little time. It’s meant to make using secure connections over HTTPS simple for anyone running a website. Obtaining certificates for Linux web servers is as simple as running two commands.
It has in-built aid for getting the free SSL certificate and setting it up. Apart from that, it utilizes a plugin within the admin panel to routinely renew your SSL certificate. They basically ask for a free server on your behalf and take care of its upkeep automatically.
Thanks to the certificate, communication between your site’s visitors and its servers is encrypted.
To individuals in need, they also offer credible forms of paperwork.
Those in need can rely on a huge network of community members for tailored assistance.
There is a remote possibility that Google Chrome won’t trust the server at any time because the browser is a Platinum Sponsor of Let’s Encrypt.
With Let’s Encrypt, you can secure numerous domain names with a single certificate by using the Subject Alternative Name Certificate. If your company has multiple websites or microsites, this might be a huge time saver.
Due to the ACME protocol’s server validation, there is no downtime throughout the certificate issuance process.

In this tutorial, you’ll learn how to use Certbot to install a free SSL certificate for Apache on Ubuntu, configure it for automatic renewal, and secure it on Ubuntu using SSL.

Instead of Apache’s standard configuration file, this tutorial will use a dedicated virtual host file. Suppose you want to keep the default files as a fallback configuration and reduce the likelihood of widespread mistakes. You should create new Apache virtual host files for each domain in that case.

Prerequisites to secure Apache on Ubuntu using SSL

Here are some things you’ll need to get started before starting to secure Apache on Ubuntu:

⦁ One server running Ubuntu.
⦁ Using a user account with root permissions or Sudo access.
⦁ Only a fully registered domain name can receive an SSL certificate. It must be set to your public IP address.

Step 1: Operating System Update

Before starting, ensure that you have the most recent versions of all installed software by updating to Ubuntu 22.04:

sudo apt update && sudo apt -upgrade -y

Step 2: Apache installation on Ubuntu 22.04

The following command will install Apache using the apt package manager.

$ sudo apt install apache2

The following commands will start the Apache service and set it up to launch automatically:

$ sudo systemctl start apache2
$ sudo systemctl enable apache2

The systemctl status command can be used to check on the health of the Apache service.

$ sudo systemctl status apache2

Output:

apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/ system/ systemd/ apache2.service; enabled, vendor preset: enabled)
Active: active (running)
Docs: https://httpd.apache.org/docs/2.4/
Process: 3170 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
………

Step 3: Set Up Certbot

Let’s Encrypt’s Certbot software must be installed on the server before obtaining an SSL certificate. For this, you’ll make use of Ubuntu’s built-in package repositories.

First, make sure the local package index is up to date:

sudo apt update

Certbot and python3-certbot-apache are required packages. You can use the latter to automate the process of obtaining a certificate and setting up HTTPS on your web server. This plugin integrates Certbot with Apache:

sudo apt install certbot python3-certbot-apache

Pressing Y and then ENTER will confirm the installation.

Your server has been updated with Certbot. The next thing to do is double-check Apache’s settings to ensure your virtual host is configured correctly. This way, the certbot client software will automatically detect your domains. Your web server will be reconfigured to use your newly generated SSL certificate.

Step 4: Apache Virtual Host Configuration Verification

Before starting to secure Apache on Ubuntu using SSL, Certbot needs access to the appropriate virtualhost in your Apache config files.

Virtualhosts are specific web host that offers services for virtual machines. Data, applications, and services can be hosted on many virtual servers, storage, and hybrid systems. It includes all the tools and business models that put computing infrastructure solutions and services within reach of consumers and enterprises over the web.

Put your domain on virtual hosting. Your domain’s VirtualHost block, with the ServerName and ServerAlias directives, should already exist in /etc/apache2/sites-available/your domain.conf.

Open the virtual host file for your domain in nano or another text editor to make sure everything is set up correctly:

$ sudo nano /etc/apache2/sites-available/your_domain.conf

Look for the lines labeled ServerName and ServerAlias. The proper order of these items is as follows:

...
ServerName your_domain;
...

If your ServerName and ServerAlias are already configured this way, you may close the text editor and proceed to the next section. Make the necessary changes to your virtual host setup to resemble the illustrative one. To exit nano after making necessary adjustments, hit CTRL+X, then Y, and finally, ENTER. Next, after completing the required adjustments, run this command:

$ sudo apache2ctl configtest

The appropriate response would be “Syntax OK.” If you encounter a problem, try reopening the virtual host file to see if any characters were left out or mistyped. You must reload Apache for the new syntax to take effect in the configuration file.

$ sudo systemctl restart apache2

This modification will allow Certbot to locate the relevant VirtualHost block for updating.

The next step is to modify the firewall settings to permit HTTPS connections.

Step 5: Authorize HTTPS Traffic Over the Firewall

Your ufw firewall’s settings must be adjusted to allow HTTPS traffic if you’ve enabled it per the prerequisites section’s advice if you want to secure Apache on Ubuntu. Installing ufw on Ubuntu makes modifying the firewall rules for HTTP and HTTPS traffic easy, thanks to the included profiles.

The following command will display the current setting:

$ sudo ufw status

This command’s output, demonstrating that only HTTP traffic is permitted into the web server, should be like the following:

Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
WWW ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
WWW (v6) ALLOW Anywhere (v6)

If you want to allow more HTTPS traffic, you need to turn on the “WWW Full” profile and disable the “WWW” profile twice:

$ sudo ufw allow 'WWW Full'
$ sudo ufw delete allow 'WWW'

The result is like this:

$ sudo ufw status

Output:

Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
WWW Full ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
WWW Full (v6) ALLOW Anywhere (v6)

Step 6: Get an SSL Certificate for Apache

Now’s the time to secure Apache on Ubuntu using SSL. Many plugins extend Certbot’s functionality and allow SSL certificates to be acquired in various ways. The Apache plugin will rewrite the Apache configuration and reload it when necessary. To activate this plugin, enter the following:

sudo certbot -apache -d your_domain –d www. Plus your domain

This enables certbot’s —apache plugin, and the -d option lets you specify which names should validate their certificates.

The first time you launch certbot, you’ll be asked to enter your full email address and accept the terms of usage/service. In addition, the Electronic Frontier Foundation may request your email address if you choose to provide it. A charitable organization that promotes computer security and is responsible for developing Certbot. If you’re comfortable with others accessing your email address, please type Y; otherwise, type N.

After this is complete, certbot will communicate with the Let’s Encrypt server and perform a test to ensure you have administrative privileges for the domain whose certificate you request.

If all goes as planned, certbot will inquire as to how you wish to set up your HTTPS. Choose your choice and press ENTER to proceed. Once you select it, Apache will be reloaded, and its configuration will be updated automatically. At the end of the process, certbot will indicate its success and provide the location where your certificates have been saved.

We have successfully downloaded, installed, and loaded your certificates. You should reload the page using the secure protocol (https://) and watch the lock icon in your browser. A green lock icon will usually indicate that the site is secure. The SSL Labs Server Test is a third-party tool that can confirm your certificate’s quality and provide further information.

Step 7: Confirming Certbot’s Automatic Renewal Status

There is a 90-day time limit on using Let’s Encrypt certificates. This is done to prevent certificates from being misused or stolen for an extended period and to encourage users to automate the renewal process.

Your certbot installation includes a renewed script in /etc/cron.d maintained by the certbot.timer systemctl service. If a certificate expires within 30 days, this script will run twice a day and renew it automatically.

To ensure that this service is up and running, use the following command

sudo systemctl status certbot.timer

Your output will look somewhat like this:

certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset:>
Active: active (waiting) since Sat 2023-05-17 22:24:48 UTC; 8min 1s ago
Trigger: Tue 2023-05-16 00:56:53 UTC; 5h 2min left
Triggers: ● certbot.service

Apr 14 15:52:46 jammy-encrypt systemd[1]: Started Run certbot twice daily.

To ensure your renewal goes smoothly, you can execute a dry run with certbot.

sudo certbot renew --dry-run

Certbot will automatically reissue fresh certificates and reload Apache as necessary. Let’s Encrypt will notify you via the supplied email address before your certificate expires if the automated renewal process fails. This was all you should know on how you can secure Apache on Ubuntu using SSL.

FAQ

What is SSL and why is it important for securing Apache on Ubuntu?

SSL (Secure Sockets Layer) is a security protocol that provides secure communication over the internet by encrypting data between a web server and a client. It is important because it aids in protecting very sensitive information.

How can I install SSL on Apache in Ubuntu?

You can install SSL on Apache in Ubuntu by installing the OpenSSL package and generating a self-signed SSL certificate using the OpenSSL command line tool. Once you have generated the SSL certificate, you can configure Apache to use SSL by modifying the Apache configuration file.

How can I configure Apache to redirect HTTP requests to HTTPS in Ubuntu?

You can configure Apache to redirect HTTP requests to HTTPS in Ubuntu by adding a rewrite rule to the Apache configuration file. This rule will redirect all HTTP requests to HTTPS and ensure that all communication between the web server and the client is encrypted.

How can I enable HSTS (HTTP Strict Transport Security) on Apache in Ubuntu?

You can enable HSTS on Apache in Ubuntu by adding the HSTS header to the Apache configuration file. This header instructs the client's browser to always use HTTPS when communicating with the web server, even if the user types in the URL with HTTP.

How can I test the SSL configuration on Apache in Ubuntu?

You can test the SSL configuration on Apache in Ubuntu by using an online SSL checker tool or by using the OpenSSL command line tool to check the SSL certificate and configuration. Additionally, you can use your web browser to verify that the SSL certificate is valid and that the communication between the web server and the client is encrypted.

Conclusion

Kudos, your domain’s Let’s Encrypt SSL certificate has been successfully installed. Now, you can quickly secure Apache on Ubuntu. Using this tutorial, you set up the certbot Let’s Encrypt. Here, you obtained an SSL certificate for your domain, installed it, and set up automatic renewal in Apache. if you have any questions about getting started, you can contact us.